This report represents the current state of a bibliography on the subject of protection in computer operating systems. "Current state" means that the bibliography is incomplete; it is a byproduct of a research project in the field of protection, recently completed. The bibliography is being published in the belief that it may be useful as is, and that it might serve as the basis of a continuing effort to collect, annotate and index the more significant documents (reports, papers, articles, books, etc.) in the field. Ideally (especially in these days of computerized information bases and communication networks) workers in a research field will collaborate in developing and sharing their bibliographies — not only with simple annotations like this one but with more extensive comments and reviews. Perhaps this document can be a contribution in that direction and will stimulate owners of other "working" bibliographies to publish theirs. As noted below, this bibliography is online and may be accessed via the ARPANET.
INTRODUCTION

This report represents the current state of a bibliography on the subject of protection in computer operating systems. "Current state" means that the bibliography is incomplete; it is a byproduct of a research project in the field of protection, recently completed. The bibliography is being published in the belief that it may be useful as is, and that it might serve as the basis of a continuing effort to collect, annotate and index the more significant documents (reports, papers, articles, books, etc.) in the field. Ideally (especially in these days of computerized information bases and communication networks) workers in a research field will collaborate in developing and sharing their bibliographies — not only with simple annotations like this one but with more extensive comments and reviews. Perhaps this document can be a contribution in that direction and will stimulate owners of other "working" bibliographies to publish theirs. As noted below, this bibliography is online and may be accessed via the ARPANET.

Because this bibliography was incidental to other work rather than an end in itself, little time was spent in trying to make it comprehensive, or in supplying extensive annotations. It will also be noted that relatively little material has been added during the past year.

With  respect  to  its  subject,  this  bibliography  was  always  intended  to 
cover  only  a limited  set  of  topics  within  the  larger  fields  of  operating 
system  and  computer  security,  specifically  the  following: 

Operating system requirements, policies and mechanisms, for insuring user and operating system program and data integrity and confidentiality.

The best way to get a feel for the topics included is to scan the index (see below). The following peripheral topics have been specifically excluded (except where they occur together with the main subject above):

User identification and authentication

Encryption

Hardware reliability

Error detection methods

System generation and initialization

Human integrity (e.g., administration and operations staff)

Physical installation security

Communications security

Broader economic, social, and political issues

A reviewed document was also not included if the bulk of its subject matter, as a whole and by section, was other than that described above, even though it may have contained relevant fragments.

Gray areas exist in which the boundaries of the protection field are not well defined. Ultimately, probably no completely satisfactory definition of protection exists that stops short of including the entire constraintive aspect of programming and operating systems, i.e., of including policies and mechanisms for all kinds of unintended occurrences.

Selectivity has also been based on quality and significance. The attempt was made to exclude documents deemed not to be potentially useful for future reference personally, and which could not be recommended to students of protection. Exclusion of such entries from published bibliographies should be a professional ethic, even at the expense of exposing the often subjective judgments of their editors.

In general, a reviewed document has been included in this bibliography if it was judged to contribute original and potentially helpful observations, insights, ideas, or descriptions; or to express old ones in new and potentially helpful ways.

A document was rejected for any of the following "editorial" reasons:

It  has  been  superseded  by  a revision,  or  its  essence  has  been 
republished  in  a more  accessible  source. 

It is totally obsolete or is of historical interest only.

Its  editorial  quality  is  inadequate. 

As a result of the level of effort put into it and the restrictions applied, only 173 entries appear. Approximately 154 documents that qualified by topic (at least to some extent) were reviewed and rejected or included and later dropped. In addition, about 65 entries are currently on my list of unseen documents whose titles suggest relevance.


A unique feature of this bibliography is its index. An indication of the maturity of a field of research is the extent to which its technical terms are defined and used consistently. Access to definitions and usages is especially important to students in the field. Also, the technical terms used usually comprise a fair index to the content of a document. For these reasons, and to experiment with the actual usefulness of such an index, as each document was reviewed its key terms, concepts, and topics were noted as a set of keywords. Little attempt has been made to standardize the forms occurring in the index, or to insure consistency, for example by going back to revise the keyword set of a document reviewed two or three years earlier. None of the massaging ordinarily needed to enhance the usefulness of an index has been applied to this one; like the bibliography itself, it is published in its current unfinished state.

This document corresponds to a file residing in the computer at ISI whose ARPANET hostname is ISIB, and which runs under the TENEX Operating System. The TENEX filename of this document is <REPORTS>PBIB.TXT; it may be accessed over the ARPANET via an FTP program.

Each  entry  in  the  bibliography  has  the  following  fields: 

An  identifier  local  to  this  bibliography. 

Author’s  (authors’)  name(s)  as  appearing  on  the  title  page  of  the 
document. 

Title  of  the  document. 

Source  data  fields:  periodical  issue,  publishing  agency,  publisher’s 
document  identifier,  date,  pages,  etc.  In  some  cases  an  NTIS  order 
number  is  also  provided. 

An annotation (usually), starting with the characters "[*" and ending with "*]", which attempts to summarize the most significant topics or features of the document in about one sentence.

Keywords or lists of keywords, enclosed by angle brackets "<" and ">" and separated (within lists) by semicolons. These can also occur as part of the annotation fields of an entry.

Fields  of  an  entry  are  separated  by  double  spaces,  except  that  the  local 
identifier  and  the  author-name  field  are  separated  by  a tab  character. 
Entries  themselves  are  separated  by  null  lines. 

The  following  abbreviations  occur  in  the  bibliography: 

ACMnn  Proceedings, ACM Conference 19nn

CACM  Communications of the ACM

IBM74d  Data Security and Data Processing, Vol. 4 Study Results: Massachusetts Institute of Technology IBM G320-1374 74.6

ICRS75  Proceedings, International Conference on Reliable Software, April 21-23, 1975

IWCA73  Proceedings, International Workshop on Computer Architecture, Grenoble, June 26-28, 1973

IWPOS74  Proceedings, International Workshop on Protection in Operating Systems, Rocquencourt, France, August 13-14, 1974. Institut de Recherche d'Informatique et d'Automatique, BP 5, Rocquencourt, 78150 Le Chesnay, France

FJCCnn  AFIPS Conf. Proceedings 19nn Fall Joint Computer Conference

NCCnn  AFIPS Conf. Proceedings 19nn National Computer Conference

NTIS  National Technical Information Service

PLOS73  Proc. of ACM SIGPLAN-SIGOPS Interface Meeting: Programming Languages - Operating Systems, April 9-12, 1973

SJCCnn  AFIPS Conf. Proceedings 19nn Spring Joint Computer Conference

SOSP75  Proc. of the Fifth Symposium on Operating Systems Principles, November 19-21, 1975




BIBLIOGRAPHY 


Abb+76  Abbott, R.P.; Chin, J.S.; Donnelley, J.E.; Konigsford, W.L.; Tokubo, S.; Webb, D.A. & Linden, T.A. (ed.)  Security analysis and enhancements of computer operating systems.  National Bureau of Standards Institute for Computer Sciences and Technology NBSIR 76-1041 76.4 68p  [* Brief informal discussions of security flaws and enhancements; brief design overviews and descriptions of flaws found in IBM's OS/MVT, the UNIVAC 1100 series operating system, and the TENEX operating system for the DEC PDP-10. *]  <security enhancements, types; errors, integrity, taxonomy/categories/examples>

AmbH77  Ambler, Allen L. & Hoch, Charles G.  A study of protection in programming languages.  SIGPLAN Notices 12,3(77.3) (Proc. ACM Conf. on Language Design for Reliable Software) 25-40  [* Compares protection features of Pascal, Concurrent Pascal, Euclid, CLU, and Gypsy, with respect to <abstract data types; modules; scope rules; parameter passing>, using the "prison mail system" problem as an example. *]  <access control features, language; classes; protection principles, languages; selective access>

Ames74  Ames, Stanley Richard, Jr.  File attributes and their relationship to computer security.  Case Western Reserve Univ. Dept. of Computing and Information Sciences Report No. 1167 74.6 89p  [* Successively refined models of a tree-structured file system to include security requirements governing observation and modification of file attributes. *]  <security events/axioms; repositories; agents; security classes; observe relation; modify relation; clearance; executors; clusters; view relation; alter relation; manipulators; accumulations; looks-at relation; changes relation; mandatory/discretionary controls>

Ande72a  Anderson, James P.  Information security in a multi-user computer environment.  Advances in Computers Vol. 12 Academic Press 1972 1-36  [* Includes a broad survey of problems, models, and mechanisms. *]  <isolation mechanisms; two state operations; i/o channels; virtual machines; program identity; implied sharing; descriptors; classification, derived>

Ande72b  Anderson, James P.  Computer security technology planning study.  ESD-TR-73-51, vol. II. 72.10 137p.  [* Detailed research and development proposal, to include security models, design of a <security kernel>, and architecture, hardware, and systems studies. *]  <reference monitor; descriptor-based architecture; vulnerabilities, classes; implied sharing vulnerability; scavenging problem; incomplete parameter checking; asynchronous interrupt vulnerability; asynchronous i/o vulnerability; trojan horse problem; file authorization; authorization, files; hierarchical access control; data management systems; aggregation; inference; procedural controls>




Andr74  Andrews, G.R.  COPS — a mechanism for computer protection.  IWPOS74 5-25 Also, Cornell Univ. Dept. of Computer Science CU-CSD-74-214 74.10 35p  [* <Capability-based protection mechanism>. *]  <actor, process/procedure; mechanism, def.; principle of control; manager problem; mutual suspicion; confined computation, def.; protection state; monitors; primitives, protection state/environment; information structures, control/computing; capabilities; attributes, access/control; environment; basic monitor; message confinement; protection, logical vs. physical>

Att+76  Attanasio, C.R.; Markstein, P.W. & Phillips, R.J.  Penetrating an operating system: a study of VM/370 integrity.  IBM Systems J. 15,1(1976) 102-115

Atta73  Attanasio, C.R.  Virtual machines and data security.  Proc. ACM SIGARCH-SIGOPS Workshop on Virtual Computer Systems, 73.3 ACM 1973 205-209  [* <Virtual machines, security advantages>. *]  <intention, explicit>

Atta74  Attanasio, C.R.  An additional protection ring for virtual machine systems.  IBM Research RC 5517 (#22525) 74.11.14 12p  [* Proposed method of allowing communication between virtual machines by extending each with a virtual control store (VCS) and virtual microprocessor, protected from the user. *]

Bar+67  Barron, D.W.; Fraser, A.G.; Hartley, D.F.; Landy, B. & Needham, R.M.  File handling at Cambridge University.  SJCC67 153-157  [* Early <file access control scheme>. *]  <part owner>

Baum75  Baum, I.R.  The architectural design of a secure data base management system.  (Thesis) Ohio State Univ. Computer and Information Science Research Center 1975

BelL73a  Bell, D.E. & LaPadula, L.J.  Secure computer systems: mathematical foundations.  Mitre Corp. MTR-2547, vol. I ESD-TR-73-278, vol. I 73.11 37p NTIS: AD-770 758  [* Formal model defined from the viewpoint of general systems theory. *]  <security, def.; classifications; need-to-know categories; access attributes; request sequences; decision sequences; access matrices; state sequences>

BelL73b  Bell, D.E. & LaPadula, L.J.  Secure computer systems: a mathematical model.  Mitre Corp. MTR-2547, vol. II ESD-TR-73-278, vol. II 73.11 58p NTIS: AD-771 543  [* Enhancement of the model presented in [BelL73a]; <privacy restrictions> are shown to be enforced under certain state transformations. *]  <access attributes; access matrix; control access; error decision; question decision; security condition; *-property; security principle; interactivity principle; tranquility principle; classifications; categories (access privileges); request sequences; decision sequences; state sequences; rule, def.; rules of operation>


Bell74  Bell, D.E.  Secure computer systems: a refinement of the mathematical model.  Mitre Corp. ESD-TR-73-278, Vol. III MTR-2547, Vol. III 74.5




BelL76  Bell, D.E. & LaPadula, L.J.  Secure computer system: unified exposition and Multics interpretation.  Mitre Corp. MTR-2997 ESD-TR-75-306 76.3 129p

BelW74  Belady, L.A. & Weissman, C.  Experiments with secure resource sharing for virtual machines.  IWPOS74 27-33  [* Results and methodology of VM/370 evaluation. *]  <isolation; sharing, information vs. other resources; channel programs, vulnerabilities; asynchronous modification of instructions; security, def.>

Bing65  Bingham, Harvey W.  Security techniques for EDP of multilevel classified information.  Burroughs Corp. 4424-65-112 65.12 188p NTIS: AD-476 557  [* Includes broad treatment of early hardware and software mechanisms. *]  <user control profile; program reference table; file control code>

Bis+75  Bisbey, Richard, II; Popek, Gerald & Carlstedt, Jim  Protection errors in operating systems: inconsistency of a single data value over time.  Univ. of Southern California Information Sciences Institute ISI/SR-75-4 75.12 16p  [* Type of protection error in which the value of a variable can be changed between two operations for which it is assumed to remain constant. *]  <consistency, single variables; time-of-check-to-time-of-use error; parameter passing; errors, examples>

Bran73  Branstad, Dennis K.  Privacy and protection in operating systems.  Computer 6,1(73.1) 43-46 Also, Operating Systems Review 7,1(73.1) 9-17  [* Report of Workshop on Privacy and Protection in Operating Systems, Princeton, NJ, June 12-14, 1972. *]  <generic weaknesses; residue; parameter checking, incomplete; asynchronous i/o; trojan horse attack; covert channels>

Brat75  Bratt, Richard Glenn  Minimizing the naming facilities requiring protection in a computing utility.  MIT Project MAC TR-156 Also, Honeywell Information Systems Federal Systems Operations ESD-TR-76-161 75.9 129p  [* Simplification of the Multics security kernel by removing <reference name space> management and directory pathname resolution. *]  <segment as unit of protection; descriptors; security kernel, name management functions; directory initiation; detectability; directories, protection; rings, protection; access control lists; lying to prevent detectability>

BroS71  Browne, Peter S. & Steinauer, Dennis D.  A model for access control.  1971 ACM SIGFIDET Workshop: Data Description, Access and Control 241-262  [* Model for enforcing privacy restrictions on the basis of object <classification> and category, active object <authority>, and <access lists>. *]  <protection groups; access clique; authorization; access control; categories; high water mark; objects; contextual sensitivity; privilege list>

Brow71  Browne, Peter S.  Data privacy and integrity: an overview.  1971 ACM SIGFIDET Workshop: Data Description, Access and Control 237-240  [* Basic distinctions. *]  <privacy; integrity, data; input validation; isolation; identification; authorization>

Burk74  Burke, Edmund L.  Synthesis of a software security system.  ACM74 648-658  [* Software verification schema based on four <levels of representation> — mathematical model, <formal specification>, algorithms, and machine language; sketch of its application to the MITRE security model and a <security kernel> for the PDP 11/45. *]  <reference monitor>

Car+71  Carroll, John M.; Martin, Robert; McHardy, Lorine & Moravec, Hans  Multi-dimensional security program for a generalized information retrieval system.  FJCC71 571-577  [* Scheme for controlling access at the file, record and item levels. *]  <item key; item code; record key; record code; data base scheme; record level control; field level control>

Carl76  Carlstedt, Jim  Protection errors in operating systems: validation of critical conditions.  Univ. of Southern California Information Sciences Institute ISI/SR-76-5 76.5 33p  [* Type of protection error in which insufficient validation exists to insure that an assumed condition holds. *]  <validation errors; errors, examples; validity vs. integrity; criticality; influencability/influentiality>

Cha+75  Chamberlin, D.D.; Gray, J.N. & Traiger, I.L.  Views, authorization, and locking in a relational data base system.  NCC75 425-430  [* "Views prescribe what can be seen. Authorization prescribes what can be done to what is seen. Locks are a dynamic kind of authorization which prescribe what can be done to what is seen at this instant." *]  <views, data base; authorization types, data base; grant; revocation; access control, data base; value dependent authorization>

ChaS76  Chandersekaran, C.S. & Shankar, K.S.  On virtual machine integrity.  (Letter) IBM Systems Journal 15,3(76) 264-269  [* Criticism of the imprecise terminology and the conclusion of [DonM75]. *]  <hierarchically structured systems; security, def.; privacy, def.; integrity, def.; mechanism requirements; isolation, def.; security kernel>

ClaR75  Clark, David D. & Redell, David D.  Protection of information in computer systems.  Tutorial, Compcon 75 Fall IEEE Computer Society 1975 260p

CohJ75  Cohen, Ellis & Jefferson, David  Protection in the Hydra Operating System.  Operating Systems Review 9,5(1975) (SOSP75) 141-160  [* Description of the Hydra protection mechanisms and their application to several well-known <protection problems>. *]  <protection, access/control; decisions, prior/future; decisions, unilateral/negotiated; procedural embedding; capabilities; ownership; subsystems; amplification; rights, generic/auxiliary; C-list; templates; domains; seal/unseal; rights, required/new; mutual suspicion; modification; propagation; conservation; confinement; initialization; revocation, immediate/permanent/selective/partial/temporal/sharing; freezing; accounting; lost objects; aliases>

Con+72a  Conway, R.W.; Maxwell, W.L. & Morgan, H.L.  On the implementation of security measures in information systems.  CACM 15,4(72.4) 211-220  [* How access control decisions based on <static privacy conditions> can be made more efficiently at compile time. *]  <access matrix; virtual user; data dependent conditions; compile time access control; security vs. privacy; decision rule; column system; diagonal system; compile-time checking>

Con+72b  Conway, R.W.; Maxwell, W.L. & Morgan, H.L.  Selective security capabilities in ASAP — a file management system.  SJCC72 1181-1185  [* <Data base scheme> incorporating both <record level control> via <access control lists> and <field level control> via a <lock-and-key mechanism>. *]  <directory of authorized users; security class, field; compile-time checking>

Coss72  Cosserat, D.C.  A capability oriented multi-processor system for real-time applications.  Proc. First Intern. Conf. on Computer Communication. IEEE Computer Society or ACM 282-283  [* Includes a brief description of the <capability architecture> of the Plessey System 250. *]  <protected subroutines>

Coss74  Cosserat, D.C.  A data model based on the capability protection mechanism.  IWPOS74 35-53  [* Capabilities are treated as protected data structure pointers that can be freely copied. *]  <capability segments; segment as unit of protection; control, transfers of; capabilities vs. pointers>

DalD74  Daley, Robert C. & Donohue, James P.  Security and authorization -- semantics and examples.  IBM74d 135-149  [* Suggestions for improving IBM's Resource Security System, among other things by allowing disseminated control of authorization and providing for <protected subsystems>, including <execute-only access> to programs. *]  <security officer; user groups; file groups; authorization classes; access types>

DalN65  Daley, R.C. & Neumann, P.G.  A general-purpose file system for secondary storage.  FJCC65 213-229  [* Early description of the Multics file system. *]  <hierarchical access control; file directories; access paths; usage attributes; access control lists; trap list>

Den+74  Denning, D.E.; Denning, P.J. & Graham, G.S.  Selectively confined subsystems.  IWPOS74 55-61  [* Implementation of a <confinement mechanism> satisfying several necessary properties, and its insufficiency. *]  <confinement problem; error conditions; protected subsystems; selective confinement; engagement; mutual exclusion, customer processes; closure, confidentiality; nonleakage; transitivity of engagement; declassification; disengagement; nonretention; covert channels; compile-time checking>

Denn77  Denning, Dorothy E. & Denning, Peter J.  Certification of programs for secure information flow.  CACM 20,7(77.7) 504-513  [* <Lattice model> of <information flow>, and <certification mechanism> based on it that verifies the security of information flow in a program, including the <confinement property>. *]  <security classes; flow relation/policies; property lattice>

Denn64  Dennis, J.B.  Program structure in a multi-access computer.  MIT Project MAC TR-11 1964  [* Introduces the notion of <spheres of protection>. *]

Denn65  Dennis, Jack B.  Segmentation and the design of multiprogrammed computer systems.  J. of the ACM 12,4(65.10) 589-602  [* "...Hence it is preferable that a protection mechanism operate in the name space of a computation..." *]  <segment as unit of protection; spheres of protection>

Denn75  Denning, Dorothy E.  Secure information flow in computer systems.  (Thesis) Purdue Univ. Dept. of Computer Science CSD TR-145 75.5 177p

Denn76a  Denning, Dorothy E.  A lattice model of secure information flow.  CACM 19,5(76.5) 236-243  [* Formulation of information flow security requirements in terms of lattice properties; run-time and compile-time enforcement mechanisms for static and dynamic security environments. *]  <information flow, explicit/implicit; security classes; security clearances; binding, static/dynamic; data mark machine; compile-time/run-time enforcement>

Denn76b  Denning, Peter J.  Fault tolerant operating systems.  ACM Computing Surveys 8,4(76.12) 359-389  [* Broad tutorial and survey: how <capability architectures> facilitate the techniques required for <confinement of errors>. *]  <process isolation; environment, open/closed; capability list; access code; name, local/system; access list; storage capability; enter capability; multiple domain processes; protected entry; domain changing; attenuation of privilege; privilege state mechanism; privilege number; descriptors, privacy; virtual machines; resource control; decision verification; encapsulation, process>

DenV66  Dennis, Jack B. & Van Horn, Earl C.  Programming semantics for multiprogrammed computations.  CACM 9,3(66.3) 143-155  [* Introduces the notion of <capability list>. *]  <spheres of protection; c-list; segment as unit of protection>

DonM75  Donovan, J.J. & Madnick, S.E.  Hierarchical approach to computer system integrity.  IBM Systems J. 14,2(1975) 188-202  [* Argues probabilistically that a <hierarchically structured operating system> on a <virtual machine monitor> can be more secure than a conventional multiprogramming system. *]  <integrity, def.; security, def.; redundant security>


Down73  Downey, Peter J.  Secure military computing systems.  In Schell, Roger R.; Downey, Peter J.; and Popek, Gerald J. Preliminary Notes on the Design of Secure Military Computer Systems. Air Force Systems Command Electronic Systems Division Directorate of Information Systems Technology MCI-73-1 73.1 47p  [* <Military security model> focusing on the structure of <access functions> and of a <security kernel>. *]  <objects; subjects; access attributes (types); access relation; access monitor; security state; update monitor; constraints, updation (policy); consistency, policy; access control lists; locks and keys; compartments; need to know; user responsibility; control attribute; owner attribute; accesses, normal vs. security update; breaches, internal vs. external>

Elli74  Ellis, Clarence A.  Analysis of some abstract measures of protection in computer systems.  Univ. of Colo. Department of Computer Science CU-CS-043-74 74.5 4ep NTIS: PB-735 297  [* Defines absolute, relative, and minimum <degree of protection> in terms of assignments of <access codes> to subjects and objects, gives assignments that maximize these, and applies this to hierarchical systems. *]  <isolation level>

Engl72  England, D.M.  Architectural features of System 250.  Infotech State of the Art Report on Operating Systems. 1972 12p  [* Description of the <capability architecture> of the Plessey System 250. *]  <privileged mode, nonnecessity; capability registers; enter access>

Engl74  England, D.M.  Capability concept mechanism and structure in System 250.  IWPOS74 63-82  [* "...everything...is reducible to data structures...built up from...an interconnected network of capabilities..." *]  <capability architecture; capability registers, real/virtual; load/store, capabilities; central capability segment; enter capability; privileged mode, nonnecessity; resources as protected data structures>

EvaL67  Evans, David C. & Leclerc, Jean Yves  Address mapping and the control of access in an interactive computer.  SJCC67 23-30  [* Proposal for integrating access control into the (virtual) addressing and parameter-binding mechanisms of an operating system. *]  <parameter spaces; entry, protected; access path control; address map, control information>

Fabr68  Fabry, R.S.  Preliminary description of a supervisor for a machine oriented around capabilities.  Univ. of Chicago Institute of Computer Research Quarterly Progress Report No. 18, 1-B 1-97 68.8  [* Sketch of design and implementation. *]  <supervisor as interaction controller; capabilities; capability registers; segment as unit of protection; virtual machines; capability segments; access codes; capabilities, user; enter access>

Fabr71  Fabry,  R.S.  List-structured  addressing.  (Thesis)  Univ.  of 
Chicago  1971 

Fabr73  Fabry, R.S.  Dynamic verification of operating system decisions.  CACM 16,11(73.11) 659-668  [* An independent consistency check for every decision involving process interactions. *]  <isolation; message system>

Fabr74  Fabry, R.S.  Capability-based addressing.  CACM 17,7(74.7) 403-412  [* Rationale, comparison, and implementation considerations of schemes in which addresses are capabilities containing unique segment identifiers. *]  <capability-based addressing; capabilities, representation integrity, approaches; capabilities and storage allocation; enter access/instruction>

Fent73  Fenton, J.S.  Information protection systems.  (Thesis)  Cambridge
Univ. Computer Laboratory  1973

Fent74  Fenton, J.S.  Memoryless subsystems.  Computer J. 17,2(74.5)
143-147

Fer+74  Ferrie, J.; Kaiser, C.; Lanciaux, D. & Martin, B.  An extensible
structure for protected systems' design.  IWPOS74  83-105  [* Object and
type construction/destruction and call/return operations in a
<capability-based system, extensible>. *]  <agents; objects; mutual
suspicion; transition type; descriptor (capability); encapsulated type;
case/uncase operators; domains; environment of domain; operators,
strong/weak; kernel; type transformation; call/return operations, domain>

Fer+75  Fernandez, E.B.; Summers, R.C. & Coleman, C.D.  An authorization
model for a shared data base.  Proc. 1975 SIGMOD Intern. Conf.  9p
[* Access matrix is extended to allow entries to contain predicates that
depend on any data in the data base; most checking is done at compile
time. *]  <data base access control; access matrix, extended; access
predicates; allocate (access type); functional access; administer (access
type); inherit (access type); use (access type); compile-time checking>

FerS76  Fernandez, Eduardo B. & Summers, Rita C.  Integrity aspects of a
shared data base.  NCC76  819-827

Frie70  Friedman, T.D.  The authorization problem in shared files.  IBM
Systems J. 9,4(1970)  258-280  [* Broad treatment of access control
requirements and considerations, recommending <compartmentalization> and
data element <tagging>. *]  <integrity, system; authorization, def.;
privilege structure, complexity; names, concealment; passwords, file;
privileges, program/user; field, protected; isolation, authorization
mechanism; single-tag rule; group (protection category); levels of
classification, undesirability; authority hierarchies, undesirability;
clique, user; matrix, user-privilege; user profile>

Gain72  Gaines, R. Stockton  An operating system based on the concept of
a supervisory computer.  CACM 15,3(72.03)  150-156  [* <File access
control> via a <lock-and-key scheme>. *]  <protection categories,
file/process, read/write>

GeoS73  George, James E. & Sager, Gary R.  Variables — bindings and
protection.  SIGPLAN Notices 8,12(73.12)  18-29  [* Six "mini-languages"
differing in their schemes for controlling the scope and accessibility of
names. *]  <names, scope/sharing/protection>

Gla+75  Gladney, H.M.; Worley, E.L. & Myers, J.J.  An access control
mechanism for computing resources.  IBM Systems J. 14,3(1975)  212-228

Grah68  Graham, Robert M.  Protection in an information processing utility.
CACM 11,5(68.5)  365-369  [* Protection requirements, and a model
featuring <rings of protection>. *]  <privileged instructions, deficiency;
need-to-know principle; two-mode systems, deficiency; layers of protection,
advantages; segment as unit of protection; access bracket; call bracket;
ring bracket; user descriptor; gatekeeper; calls, cross-ring; asynchronous
modification of arguments>

GraD72  Graham, G. Scott & Denning, Peter J.  Protection — principles and
practice.  SJCC72  417-429  [* <Access matrix model>; enforcement rules,
protection commands, applicability, and implementation considerations. *]
<levels of protection; mutually suspicious subsystems; memoryless
subsystems; completeness requirement; objects; subjects; access rules,
requirements; protection state; access attributes; monitor, object type;
identification, subjects; update rules, access matrix; copy flag; owner
attribute; control attribute; transfer command; grant command; copy flag,
transfer-only; domains; hierarchies, subject, advantages; universal
subject; untrustworthy subsystems; indirect access; debugging problem;
trust; trustworthy subjects; revocability; c-list; access control list;
authority list; lock list; key>

Grah71  Graham, G. Scott  Protection structures in operating systems.
(Masters Thesis)  Univ. of Toronto Department of Computer Science  71.8

GriW76  Griffiths, Patricia P. & Wade, Bradford W.  An authorization
mechanism for a relational data base system.  IBM Research RJ 1721
(#25154)  76.2.11  32p  [* Mechanism providing for restricted sharing of
data bases by allowing the granting and revocation of privileges and the
definition and sharing of <views>. *]  <data base privacy mechanisms;
revocation, recursive; grants, labeled>

Har+75  Harrison, Michael A.; Ruzzo, Walter L. & Ullman, Jeffrey D.
Protection in operating systems.  CACM 19,8(76.8)  461-471  [* <Safety>
of a protection system modelled by a given general <access matrix model>
is undecidable. *]  <rights, generic; configuration, protection system;
own right; leaking, rights; undecidability, safety>
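An added worked example, not taken from this bibliography or from the papers it cites: a toy access matrix in Python with the copy flag, the owner and control attributes, and the transfer/grant/delete commands of the model described under [GraD72], plus a depth-bounded search over command sequences that asks the safety question of [Har+75] for one right. The subject and object names, the fixed set of generic rights, and the depth bound are constructed for the example.

```python
from collections import deque
from copy import deepcopy

COPY = "*"                              # suffix: right held with the copy flag
RIGHTS = ("read", "write", "execute")   # generic rights an owner may confer
# "owner" and "control" are the attributes that authorise the commands below


class AccessMatrix:
    """Protection state in the style of [GraD72]: one cell per
    (subject, object) holding a set of rights; 'read*' is read held with
    the copy flag.  Subjects are objects too, so each has a column.
    All names are constructed for this example."""

    def __init__(self, subjects):
        self.subjects = set(subjects)
        self.objects = set(subjects)
        self.cells = {}                 # (subject, object) -> set of rights

    def cell(self, s, o):
        return self.cells.setdefault((s, o), set())

    def has(self, s, o, r):
        """True if s holds r on o, with or without the copy flag."""
        base = r.rstrip(COPY)
        return base in self.cell(s, o) or base + COPY in self.cell(s, o)

    def freeze(self):
        """Hashable snapshot of the protection state, for the search."""
        return frozenset((s, o, frozenset(rs))
                         for (s, o), rs in self.cells.items() if rs)

    # --- commands: each applies the enforcement rule that authorises it --
    def create_object(self, s, o):
        if s not in self.subjects or o in self.objects:
            raise PermissionError(f"{s} cannot create {o}")
        self.objects.add(o)
        self.cell(s, o).add("owner")    # creator becomes owner

    def grant(self, s, s2, o, r):
        """Owner of o confers r (optionally with copy flag) on s2."""
        if "owner" not in self.cell(s, o) or r.rstrip(COPY) not in RIGHTS:
            raise PermissionError(f"{s} may not grant {r} on {o}")
        self.cell(s2, o).add(r)

    def transfer(self, s, s2, o, r):
        """s passes r on o to s2; needs r WITH the copy flag in s's cell."""
        if r.rstrip(COPY) + COPY not in self.cell(s, o):
            raise PermissionError(f"{s} lacks the copy flag for {r} on {o}")
        self.cell(s2, o).add(r)

    def delete(self, s, s2, o, r):
        """Owner of o, or controller of s2, removes r (both forms) from s2."""
        if "owner" not in self.cell(s, o) and "control" not in self.cell(s, s2):
            raise PermissionError(f"{s} may not revoke {r} from {s2}")
        base = r.rstrip(COPY)
        self.cell(s2, o).difference_update({base, base + COPY})


def possible_commands(m, actors):
    """Every grant or transfer the rules permit in state m, issued by one
    of `actors`.  Creation is left out so the state space stays finite."""
    for s in sorted(actors):
        for o in sorted(m.objects):
            for s2 in sorted(m.subjects - {s}):
                for base in RIGHTS:
                    for r in (base, base + COPY):
                        if "owner" in m.cell(s, o):
                            yield (s, "grant", s2, o, r)
                        if base + COPY in m.cell(s, o):
                            yield (s, "transfer", s2, o, r)


def can_leak(m, subject, obj, right, trusted=(), depth=4):
    """Depth-bounded form of the safety question of [Har+75]: can `subject`
    come to hold `right` on `obj` through at most `depth` commands issued
    by subjects outside `trusted`?  Returns the command sequence, or None
    if none exists within the bound."""
    actors = m.subjects - set(trusted)
    seen = {m.freeze()}
    queue = deque([(m, [])])
    while queue:
        cur, path = queue.popleft()
        if cur.has(subject, obj, right):
            return path
        if len(path) == depth:
            continue
        for cmd in possible_commands(cur, actors):
            nxt = deepcopy(cur)
            getattr(nxt, cmd[1])(cmd[0], *cmd[2:])
            key = nxt.freeze()
            if key not in seen:
                seen.add(key)
                queue.append((nxt, path + [cmd]))
    return None


def copy_flag_scenario(with_copy_flag):
    """alice owns 'payroll' and grants bob read, with or without the copy
    flag.  Can mallory ever read payroll with no further action by alice?"""
    m = AccessMatrix(["alice", "bob", "mallory"])
    m.create_object("alice", "payroll")
    m.grant("alice", "bob", "payroll", "read" + (COPY if with_copy_flag else ""))
    return can_leak(m, "mallory", "payroll", "read", trusted={"alice"})


if __name__ == "__main__":
    print("copy flag set:  ", copy_flag_scenario(True))
    print("copy flag clear:", copy_flag_scenario(False))
```

Within the bound the question is settled by exhaustion, and the two runs show concretely why granting a right with the copy flag to a subject you do not trust amounts to granting it to everyone that subject can reach. The result in [Har+75] is that no such bound works in general once commands may create subjects and objects; that is why the enumeration here deliberately omits creation.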

HarH75  Hartson, H.R. & Hsiao, D.K.  Languages for specifying protection
requirements in data base systems.  Part I.  Ohio State Univ. Computer
and Information Sciences Research Center OSU-CISRC-TR-74-10  75.1  67p
NTIS: AD/A-006 280  [* Models the <authorization process> and the
<enforcement process> in a <security space> of users, authorizers,
resources, operations, and value states. *]  <access control model;
authorization specification, validity/consistency; access condition;
protection specification language; access matrix model, limitations;
ownership, absolute/conditional; system administrator; withdrawal of
rights; subownership; memoryless specifications; access history; authorized
subspace; dominance, access history; access decision timing; domain of
authorization; auxiliary invocation, domain; validation of inputs;
progressive authorization; amplification; extended resources; franchise,
user/operation/resource unit; partial rejection>

Harr75  Harrison, Michael A.  On models of protection in operating systems.
Lecture Notes in Computer Science, Vol. 32: Mathematical Foundations of
Computer Science 1975 (J. Becvar, ed.)  Springer-Verlag 1975  46-60

Hart75  Hartson, H. Rex  Languages for specifying protection requirements
in data base systems — a semantic model.  Ohio State Univ. Computer and
Information Science Research Center CISRC-TR-75-6  75.8  248p  NTIS:
AD-A018 284/6GA

Hel+75  Held, G.D.; Stonebraker, M.R. & Wong, E.  INGRES — a relational
data base system.  NCC75  409-416  [* Access is controlled and integrity
assured by means of <query modification>. *]  <access control, data base;
integrity, data base; restrict statement; integrity constraint>
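An added example, not code from INGRES or from [Hel+75]: query modification in Python over an in-memory sqlite3 table. The rows, the per-user access predicates, the integrity constraints and the column names are all constructed for the example. A user's qualification is conjoined with the access predicate on retrieval; for an update it is also conjoined with each integrity constraint rewritten in terms of the proposed new value, so rows that would violate a constraint are left unchanged rather than rejected with an error.

```python
import re
import sqlite3

# Constructed sample relation (not from [Hel+75]); column names are assumed.
ROWS = [("alice", "sales", 30000), ("bob", "sales", 48000),
        ("carol", "research", 45000), ("dave", "research", 20000)]

# Protection specifications are predicates over the relation, the same form
# as a user's own qualification, which is what makes conjoining them cheap.
ACCESS = {"sales_mgr": "dept = 'sales'",   # sees and changes sales rows only
          "auditor": "1 = 1"}               # unrestricted
INTEGRITY = ["salary >= 0", "salary < 50000"]


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE emp(name TEXT, dept TEXT, salary INTEGER)")
    db.executemany("INSERT INTO emp VALUES (?, ?, ?)", ROWS)
    return db


def modified_retrieve(user, columns, qual="1 = 1"):
    """Retrieval: the user's qualification is ANDed with the access
    predicate.  Rows outside it are not an error; from that user's point
    of view they simply do not exist."""
    if user not in ACCESS:
        raise PermissionError(user)
    return (f"SELECT {columns} FROM emp WHERE ({qual}) AND ({ACCESS[user]}) "
            f"ORDER BY name")


def modified_update(user, column, new_expr, qual="1 = 1"):
    """Update: besides the access predicate, every integrity constraint is
    rewritten with the proposed new value substituted for the column, so a
    row changes only if it would still satisfy the constraint afterwards."""
    if user not in ACCESS:
        raise PermissionError(user)
    preds = [qual, ACCESS[user]]
    for c in INTEGRITY:
        preds.append(re.sub(rf"\b{column}\b", f"({new_expr})", c))
    where = " AND ".join(f"({p})" for p in preds)
    return f"UPDATE emp SET {column} = {new_expr} WHERE {where}"


def retrieve(db, user, columns, qual="1 = 1"):
    return db.execute(modified_retrieve(user, columns, qual)).fetchall()


def update(db, user, column, new_expr, qual="1 = 1"):
    """Returns the number of rows actually changed."""
    return db.execute(modified_update(user, column, new_expr, qual)).rowcount


if __name__ == "__main__":
    db = open_db()
    print(modified_update("sales_mgr", "salary", "salary + 5000", "salary > 25000"))
    print(update(db, "sales_mgr", "salary", "salary + 5000", "salary > 25000"))
    print(retrieve(db, "auditor", "name, salary"))
```

The string concatenation stands in for the parse-tree manipulation a real implementation performs on the query before execution: in this form the user's `qual` must already be a parsed and validated expression, because nothing here stops a hostile qualification string from breaking out of its parentheses.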

HinS75  Hinke, T.H. & Schaefer, Marvin  Secure data management system.
System Development Corp. TM-(L)-5407/007/00  RADC-TR-75-266  75.11  197p
NTIS: AD-A019 201

Hoff71  Hoffman, Lance J.  The formulary model for flexible privacy and
access controls.  FJCC71  587-601  [* Proposes a <formulary> procedure to
intercept all accesses to the data element to which it is attached and
to determine the right of access, possibly via a dialogue with the user. *]
<control profile, user; authority item; data dependent decisions>

HolB76  Hollingworth, Dennis & Bisbey, Richard, II  Protection errors in
operating systems: <allocation/deallocation residuals>.  Univ. of
Southern California Information Sciences Institute ISI/SR-76-7  76.6
17p  [* Type of protection error in which a residual from a previous
allocation remains accessible after a new allocation. *]  <residual,
content/access; errors, examples>
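An added example, not from [HolB76]: a toy storage allocator in Python that reproduces the two residual types the report's index terms distinguish. A content residual is the previous tenant's data still present in storage handed to a new tenant; an access residual is the previous tenant's handle still working on storage that now belongs to someone else. The handle layout, the generation-counter check and the sample secret are constructed for the example.

```python
class Arena:
    """Toy storage allocator over a single bytearray.  A handle is
    (offset, length, generation).  Unhardened, it reproduces both residual
    types named in [HolB76]; hardened, it clears storage on release and
    rejects handles whose generation no longer matches the live holder."""

    def __init__(self, size=64, hardened=False):
        self.mem = bytearray(size)
        self.hardened = hardened
        self.free_list = [(0, size)]    # (offset, length) runs, first fit
        self.live = {}                  # offset -> generation of current holder
        self.generation = 0

    def alloc(self, n):
        for i, (off, ln) in enumerate(self.free_list):
            if ln >= n:
                self.free_list[i:i + 1] = [(off + n, ln - n)] if ln > n else []
                self.generation += 1
                self.live[off] = self.generation
                return (off, n, self.generation)
        raise MemoryError("arena exhausted")

    def release(self, h):
        off, n, _ = h
        self._check(h)
        if self.hardened:
            self.mem[off:off + n] = bytes(n)        # no content residual
        self.live.pop(off, None)
        self.free_list.insert(0, (off, n))          # reused by the next alloc

    def _check(self, h):
        off, _, gen = h
        if self.hardened and self.live.get(off) != gen:
            raise PermissionError("stale handle")   # no access residual

    def read(self, h):
        off, n, _ = h
        self._check(h)
        return bytes(self.mem[off:off + n])

    def write(self, h, data):
        off, n, _ = h
        self._check(h)
        self.mem[off:off + n] = data.ljust(n, b"\0")[:n]


def residuals(hardened):
    """First tenant writes a secret and releases; second tenant is handed
    the same storage.  Returns (what the second tenant reads before writing
    anything, what the first tenant can still read through its old handle
    after the second tenant has written)."""
    a = Arena(hardened=hardened)
    h1 = a.alloc(16)
    a.write(h1, b"secret key 1234")          # constructed sample secret
    a.release(h1)
    h2 = a.alloc(16)
    content_residual = a.read(h2)
    a.write(h2, b"second tenant")
    try:
        access_residual = a.read(h1)
    except PermissionError:
        access_residual = None
    return content_residual, access_residual


if __name__ == "__main__":
    print("unhardened:", residuals(False))
    print("hardened:  ", residuals(True))
```

Clearing on release closes the content residual; it does nothing for the access residual, which needs the handle itself to be invalidated, here by a generation counter that the allocator bumps on every allocation. A real allocator has the same two independent decisions to make, and checking only one of them is exactly the error class the report catalogues.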

Hsi+74  Hsiao, D.K.; Kerr, D.S. & McCauley, E.J., III  A model for data
secure systems (Part I).  Ohio State Univ. Computer and Information
Science Research Center OSU-CISRC-TR-73-8  74.2  44p  [* General
protection specifications can be used to define users' views (and
accessibility domains) of a data base, since they have the same form as
retrieval specifications (Boolean functions). *]

Hsia68  Hsiao, David K.  A file system for a problem solving facility.
(Thesis)  University of Pennsylvania The Moore School of Electrical
Engineering Report No. 68-33  68.5  157p  NTIS: AD-671 826  [* Both <file
access control> and <record level control>, based on information in the
<authority item> associated with each user. *]  <login program, file;
owner; authentication, file login program>

HsiM74  Hsiao, D.K. & McCauley, E.J., III  A model for data secure systems
(Part II).  Ohio State Univ. Computer & Information Science Research
Center OSU-CISRC-TR-74-7  74.10  45p

IBMx71  (anon)  OS/MVT with resource security: general information and
planning manual.  IBM GH20-1058-0  71.12  28p  [* Description of
Resource Security System features. *]  <security levels; access category;
need to know; security officer; definition of controlled resources;
grouping of users and resources; authorization; program-restricted data
sets; associative programs>


Jans74  Janson, Philippe Arnaud  Removing the dynamic linker from the
security kernel of a computing utility.  (Thesis)  MIT Project MAC TR-132
74.6  128p  [* Protection implications and design of a <dynamic linker>
external to the security kernel, in terms of an abstract storage, name
space, and protection model; implementation in Multics. *]  <principle of
least privilege; security kernel, criteria; object; subject; capability;
gate; protected subsystem; name space model; system initialization; link
fault handling; static storage allocation; rings, protection>

Jone73  Jones, Anita K.  Protection in programmed systems.  (Thesis)
Carnegie-Mellon Univ. Department of Computer Science  73.6  145p  NTIS:
AD-765 535  [* Model of a protection mechanism based on <environments>:
collections of <constituent rights>, associated with objects or their
components; <declared rights>, associated with procedures; and <dynamic
rights>, associated with procedure invocations. *]  <environment crossing
operators; protection, def.; object; access; type; enforcement rule; right
transfer rule/primitives; capability; ownership; access matrix;
environment binding rule; environment representations; checking, dynamic
vs. static; parameter passing; amplification; protection state,
transformations, closure; memoryless procedure; dynamic type creation;
subsystem; suitability factor; need-to-know principle; accuracy measure;
protection systems, comparison; policy vs. mechanism>

JonL75  Jones, Anita K. & Lipton, Richard J.  The enforcement of security
policies for computation.  Operating Systems Review 9,5(75) (SOSP75)
197-206  [* For any viewing program and any security policy there exists
a sound and <maximally complete mechanism>, but which cannot always be
constructed; construction of sound <surveillance mechanisms>. *]  <v
functions; o operators; high water mark; policy, def.; mechanism, def.;
soundness; completeness; confinement; memoryless subsystems; data security;
observability postulate; information control vs. access control>

JonL76a  Jones, Anita & Lipton, Richard J.  (Letter)  Operating Systems
Review 10,2(76.4)  7-8  [* Reply to [Rote76] on the <soundness> of the
privacy restriction mechanism at issue. *]

JonL76b  Jones, Anita K. & Liskov, Barbara H.  A language extension for
controlled access to shared data.  IEEE Trans. on Software Engineering
SE-2,4(76.12)  277-285  [* Rules enforceable at compile time governing
the binding of <capabilities (variables)> to strongly typed, structured
objects, and implementing a wide class of controlled sharing policy. *]
<compile-time checking; type-module; qualified type; binding rules;
amplification>

JonW75  Jones, Anita K. & Wulf, William A.  Towards the design of
secure systems.  Software — Practice and Experience 5,4(75.10-12)  321-336
[* Distinction between policies and mechanisms; capability-based
mechanisms; the Hydra mechanism; types and examples of policies that
can be implemented in Hydra. *]  <objects; security policy, def.;
appropriateness, policy; requirements, protection mechanisms; data base
protection; capabilities, extended; mechanisms, functions; amplification;
local name space; rights, kernel/auxiliary; capability transfer operations;
environment crossing operations; checkrights; amplifyrights; template;
filtering policy; gatekeeper>

KamU77  Kam, John B. & Ullman, Jeffrey D.  A model of statistical databases
and their security.  ACM Trans. on Database Systems  77.3

KarS74  Karger, Paul A. & Schell, Roger R.  MULTICS security evaluation:
vulnerability analysis.  USAF Electronic Systems Division ESD-TR-74-193,
Vol. II  74.6  [* Overview of Multics security controls; detailed
descriptions of several vulnerabilities identified, confirmed, and
exploited during an early 1973 analysis. *]  <multi-level security;
master mode; access control lists; rings, protection; subverter program;
vulnerabilities, descriptions; validation of arguments, insufficient;
penetration techniques; trap doors, classes; procedural vulnerabilities;
utility programs, dump/patch; compiler trap doors; gatekeeper>

KohG75  Kohout, L. & Gaines, B.R.  The logic of protection.  Lecture Notes
in Computer Science, Vol. 34: GI — 5. Jahrestagung  Springer-Verlag 1975
736-751

Lack74  Lackey, R.D.  Penetration of computer systems: an overview.
Honeywell Computer J. 8,2(74)  81-85  [* Categories of <penetration
techniques> and some common <error types>. *]

Lam+77  Lampson, B.; Needham, R.; Randell, B. & Schroeder, M.  Protection,
security, reliability.  Operating Systems Review 11,1(77.1)  12-14
[* Things to be done; misconceived problems. *]  <absolute vs. defensive
protection; numerical measure of security>

Lamp67  Lampson, Butler Wright  Scheduling and protection in an interactive
multi-processor system.  (Thesis)  Univ. of Calif., Berkeley  67.3  82p
[* <Control protection> via a per-process vector of allowable instructions;
<memory protection> implications of various addressing schemes. *]

Lamp68  Lampson, Butler W.  A scheduling philosophy for multiprocessing
systems.  CACM 11,5(68.5)  347-360  [* Includes the scheme for <control
protection> presented in [Lamp67]. *]

Lamp69  Lampson, B.W.  Dynamic protection structures.  FJCC69  27-38
[* Detailed treatment of <capabilities> and <domains>, especially with
respect to problems of <control transfers> and sharing. *]  <access key;
rings; gates; proprietary programs; passwords, file; access control lists>

Lamp71  Lampson, Butler W.  Protection.  Operating Systems Review
8,1(74.1)  18-24  [* Use and possible implementations of the <access
matrix>. *]  <domain; message system; identification; object system;
access attributes; copy flag; revocation; ownership; capability list;
access key; access lock list; access control procedure, per object>

Lamp73  Lampson, Butler W.  A note on the <confinement problem>.  CACM
16,10(73.10)  613-615  [* The problem of preventing a <service program>
from leaking information. *]  <covert channels; memorylessness;
transitivity of confinement; masking, channels>

Lamp74  Lampson, Butler W.  Redundancy and robustness in memory protection.
Proc. IFIP Congress 74, Vol. 1  North-Holland/American Elsevier 1974
128-132  [* Approaches to protection as the control of efficient
communication between memory-sharing domains, as opposed to protection as
isolation of message-sending/receiving domains. *]  <domain; chattels;
protection, def.; protection, absolute/defensive; isolation; message model;
memory environment; scope of domain; communication by value vs. pointer;
authentication; trademarks; registrar; memory protection; sharing,
slow/fast; capabilities>

LamS75  Lampson, Butler W. & Sturgis, Howard E.  Reflections on an
operating system design.  CACM 19,5(76.5)  251-265  [* Strengths and
weaknesses of the capability-based Cal operating system in retrospect. *]
<capabilities; domains; c-lists; seals; access keys>

Laue74  Lauer, H.C.  Protection and hierarchical addressing structures.
IWPOS74  137-148  [* Advantages/disadvantages and protection implications
of <nested address space systems> versus <global object name systems>. *]
<scope of names>

Less68  Lesser, V.R.  A multi-level computer organization designed to
separate data-accessing from computation.  Stanford Univ. Computer
Science Department Tech. Rep. CS90  68.3

Lind73  Lindsay, Bruce  Suggestions for an extensible capability-based
architecture.  IWCA73  20p  [* Possibilities for the representation,
protection, passing, creation, interpretation, & encapsulation/retrieval
of <capabilities>. *]

Lind74  Linden, T.A.  Different goals for protection.  IWPOS74  149-153
[* A protection mechanism should (1) provide for rigorous data security,
(2) facilitate the construction of reliable software, (3) support the
implementation of special protection mechanisms, and (4) aid in
guaranteeing the protection mechanism's own integrity and correctness. *]
<goals, protection mechanisms>

Lind76a  Linden, Theodore A.  Protection: a nuisance or an opportunity?
Digest of Papers, COMPCON Fall 76  IEEE  30-35

Lind76b  Linden, Theodore A.  Operating system structures to support
security and reliable software.  ACM Computing Surveys 8,4(76.12)
409-445  [* Tutorial on small protection domains implemented via
<capability-based addressing>; <extended-type objects>; and the
applicability of these to reliable software and system security. *]
<security, def.; subjects; objects; access modes; access right; domains;
capabilities; access matrix model; domain switching; protected procedure;
enter right; mutual suspicion; principle of least privilege; defensive
programming; Trojan horse problem; intermediaries; directories; revocation;
amplification; indirection; extended-type manager; modularity;
discretionary/nondiscretionary controls; classification systems>

Lipn72  Lipner, Steven B.  Computer security research and development
requirements.  The MITRE Corporation MTR-142  73.2  <reference monitor;
need to know; segment, basis for access control>

Lipn75  Lipner, Steven B.  A comment on the confinement problem.
Operating Systems Review 9,5(1975) (SOSP75)  192-196  [* Formalization
of confinement requirements in terms of the <*-property> and an approach
to proving that this property holds for all <storage channels> and
<legitimate channels> of an operating system; comment on the use of
<virtual time> to eliminate <covert channels>. *]  <confinement problem;
hiding, information; high water mark; o-functions; v-functions>

LisZ74  Liskov, Barbara & Zilles, Stephen  Programming with <abstract
data types>.  SIGPLAN Notices 9,4(74.4) (Proc. Symp. Very High Level
Languages)  50-59  [* A form of <encapsulation> is provided by defining
classes of objects in terms of the <cluster of operations> available on
them. *]  <type checking>

Mano71  Manola, Frank A.  An extended data management facility for a
general-purpose time sharing system.  (Master's thesis)  Univ. of
Pennsylvania  71.05  NTIS: AD-724 801  180p  [* Extensions to scheme
of [Hsia68]: <deny/allow descriptions> for <record level control>;
<field level control> by deleting restricted keywords and corresponding
fields from accessed records. *]

ManW75  Manola, Frank A. & Wilson, Stanley H.  Data security implications
of an extended subschema concept.  Naval Research Laboratory Report 7905
75.7.15  16p

Mart73  Martin, James  Security, accuracy, and privacy in computer systems.
Prentice-Hall 1973  640p  [* Includes descriptions of a variety of
authorization schemes, including IBM's Resource Security System. *]
<data security, def.; authorization structures; stratification;
compartmentalization (isolation); authorization tables, user/data;
transaction types; categories, user/data; locks, data record; passwords,
file; capability (training); lockwords; zones, data; authorization level;
security levels; access categories; need to know; integrity, system;
security officer; program restricted data; security by association>

McPh74  McPhee, W.S.  Operating system integrity in OS/VS2.  IBM Systems
J. 13,3(74)  230-252  [* Seven types of <system integrity> errors in
forerunner systems, and their solutions in OS/VS2. *]  <time-of-check-to-
time-of-use problem; validity checking; identification, objects; storage
protection; restricted names; authorized program facility; program
authorization; user-supplied addresses; serialization mechanisms; user
data passed as system data; errors, types/examples>

Mill75  Millen, Jonathan K.  Security kernel validation in practice.
CACM 19,5(76.5)  244-250  [* Detailed description of method and techniques
used to prove security properties of a kernel for the PDP-11/45. *]
<security kernel; *-property; simple security condition; discretionary
access control matrix; tranquility principle; indirect information paths;
O-functions; V-functions; elimination rules; channels, legitimate/covert;
time problems>

Mins76a  Minsky, Naftaly  Intentional resolution of privacy protection in
database systems.  CACM 19,3(76.3)  148-159  [* Operations on data
retrieved from a data base by a user program (assumed written in a
strongly typed language) can be restricted more strongly than with access
control alone, by requiring the program to interact via a subschema
containing <application rules> augmenting those of the given language. *]
<intentional resolution; privacy (security); access control limitations;
database protection; database subschema; right (part of application rule);
brands; data analysis, prevention; intermediate results, hiding;
confinement; confidence modules>

Mins76b  Minsky, N.  An activator based protection mechanism.  Rutgers
Univ. Dept. of Computer Science Technical Report No. 25  76.6  40p

MooC74  Moore, Charles G., III & Conway, Richard  Program predictability
and data security.  Cornell Univ. Dept. of Computer Science TR 74-212
74.9  12p  [* Capabilities can be controlled at the source language level,
allowing identification of potential <indirect access> via analysis of
the <information flow graph> as well as some <compile-time enforcement>,
provided that the name interpretation and accessing semantics of that
language are correctly defined and implemented. *]  <security matrix>

Moor73  Moore, B.J.  A classification of central processor architecture.
IWCA73  19p  [* Basic architectural concepts and the relationships between
them, including processes, address spaces, and protection domains and
mechanisms. *]

Moor74  Moore, Charles G., III  Potential capabilities in Algol-like
programs.  Cornell Univ. Dept. of Computer Science TR 74-211  74.9  19p
[* Potential flow of information in either direction between a given
uninterpreted block B and a given variable may be determined from the
<information flow graph> (for which the construction algorithm is given)
of the program in which B is contained. *]  <path condition; flow
condition; capabilities, potential>

Morr73a  Morris, James H., Jr.  Protection in programming languages.
CACM 16,1(73.01)  15-21  [* Proposes <seals> and <trademarks> for
maintaining privacy and integrity of program module data. *]

Morr73b  Morris, James H., Jr.  Types are not sets.  Conf. Record of ACM
Symposium on Principles of Programming Languages, 73.10.1-3  120-124
[* Introduction of <seal operators, opaque/transparent> to guarantee the
integrity of operators on and representations of objects of dynamic
types. *]  <authentication (type checking); secrecy (of representations)>


Need72  Needham, R.M.  Protection systems and protection implementations.
FJCC72  571-578  [* Per process <capability segments>; addressing via
<indirection tables> in which segment names are bound. *]

Need73  Needham, R.M.  Protection — a current research area in operating
systems.  International Computing Symposium 1973.  North-Holland/American
Elsevier Publishing Company 1974  123-126  [* Motivation for and
description of the capability/domain approach. *]  <mechanisms, def.;
security of information, def.; Trojan horse problem; file access via given
program; regime of protection; segment as unit of protection; capabilities;
enter capability; asynchronous events>

NeeW74  Needham, R.M. & Walker, R.D.H.  Protection and process management
in the "CAP" computer.  IWPOS74  155-160  [* Non-hierarchical protection
in a hierarchically-structured system. *]  <capability segment; indirection
table; ENTER capability; protected procedure; hierarchical process
structure>

Neu+76  Neumann, Peter G.; Feiertag, Richard J.; Levitt, Karl N. &
Robinson, Lawrence  Software development and proofs of multi-level
security.  Proc. 2nd Intern. Conf. on Software Engineering  IEEE 1976
421-428

Neu+77  Neumann, Peter G.; Boyer, Robert S.; Feiertag, Richard J.;
Levitt, Karl N. & Robinson, Lawrence  A provably secure operating system.
Stanford Research Institute Project 4332 Final Report  77.2.11  483p
[* A five-stage design methodology for general-purpose operating systems,
with assertions stated and proved in an assertion language common to all
stages; and the design of a secure operating system achieved via that
methodology, structured as a hierarchy of abstract machines. *]
<alteration principle; detection principle; denial of service; leakage,
information; capabilities; objects; access code; type manager; revocation,
selective; lost-object problem; Trojan horse attacks; mediated access;
mutually suspicious subjects; memoryless operation; military security
classification; need to know; inference; confinement principle; *-property;
security kernel; C-list; subjects; domains; rings; call and return
mechanism; capability channels; revocable copy; distinguished entry>

Neum73  Neumann, Peter G. (reporter)  Report of evening session on
protection.  SIGPLAN Notices 8,9(73.9) (PLOS73)  p27  <hidden channels;
move-without-reading; read-without-copying; user interface; principle
of maximum security; protection as restriction>

Owen71a  Owens, Richard C.  Primary access control in large-scale
time-shared decision systems.  (M.S. Thesis)  MIT Project MAC TR-89  71.07
91p

Owen71b  Owens, R.  Evaluation of access authorization characteristics of
derived data sets.  Proc. 1971 ACM-SIGFIDET Workshop on Data Description,
Access and Control  263-278


Palm73  Palme, Jacob  Protected program modules in Simula 67.  Research
Institute of National Defense, Stockholm, Sweden  FOA P Report C 8372
73.7  26p  NTIS: PB-224 776  [* Requirements for <inter-module protection>
in programming systems and languages; most of them satisfied by Simula 67.
A <HIDDEN specification> is proposed to prevent external access to class
attributes. *]  <classes, Simula 67>


Palm74  Palme, Jacob  Software security.  Datamation 20,1(74.1)  51-55
[* Brief tutorial. *]  <deduction problem; file keys; error patterns>

ParP74  Parnas, D.L. & Price, W.R.  Using memory access control as the
only protection mechanism.  IWPOS74  177-181  [* Argues that a virtual
memory that provides a separate address space for each process is the
only protection mechanism needed for basic access limitation. *]
<virtual memory as protection mechanism; need-to-know principle>

Pope73a  Popek, Gerald J.  Access control models.  (Thesis)  Harvard
Univ. Center for Research in Computing Technology  73.2  153p  NTIS:
AD-761 807  [* Model based on a <restriction graph> whose nodes are
<security objects> and edges are <access paths>; an <access map> from
<actors> to nodes is implemented as a map from actors to boolean <key
variables> and a map from edges to boolean <lock functions> of these
variables; implementation algorithms. *]  <locks and keys; collusion;
filtering property; access graph; access control list>

Pope73b  Popek, Gerald J.  Correctness in access control.  ACM73  236-241
[* <Set-theoretic model> of a <security system>, with proof of
correctness. *]  <inference problem; statistical access problem; kernel>

Pope74  Popek, Gerald J.  Protection structures.  Computer 7,6(74.6)
22-33  [* Brief but comprehensive survey. *]  <mutually suspicious
subsystems; memoryless process; statistical access; inference; errors,
examples; parameter checking; synchronization; higher level errors; hidden
channels; security object; passive object; active object; protection data;
update program; enforcement rule; access matrix; rights transfer
primitives; capabilities; environment binding; domain; sphere of
protection; c-list; revocation; locked boxes; access control list; rings;
seal/unseal; data-dependent access decisions; formularies; principle of
least privilege; grain of protection; security kernel; virtual machines;
locks and keys; scope of names; redundant checking; penetration>

PopK74a  Popek,  Gerald  J.  & Kline,  Charles  S.  A verifiable  protection 
system.  SIGPLAN  Notices  10,6(75.6)  (ICRS75)  294-304  [*  <Security 

kerne  I s>,  <virtual  machines>,  and  program  verification;  design 
considerations  of  the  UCLA-VM  System.  *1  <security  sensitive  Instructions; 
security  kernel,  functions;  input/output;  data  security,  def.;  security 
i , objects;  access  predicates;  updater;  capability  faulting;  interrupt ibi I i ty; 

privileged  code,  exclusion  from  user  process;  scheduling;  file  management 
kernel;  existence,  knowledge  of;  kernels,  levels;  levels  of  mechanism; 
direct  access  predicate;  indirect  access  predicate;  objecthood;  Morse  Code 
problem;  vulnerabilities,  multilevel> 


in  programming  systems  and  languages; 
A <H1DDEN  spec i f i cat i on>  is  proposed 
at  tr  i butes.  )V]  <c  I asses,  Simula  67> 
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PopK74b  Popek,  Gerald  J.  4 Kline,  Charles  S.  Verifiable  secure  operating 
system  software.  NCC74  145-151  (*  Approach  to  providing  verifiable 

security;  the  applicability  of  <security  kernel>  designs,  virtual  machine 
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uork,  and  program  verification  techniques;  the  UCLA-VH  system.  >v] 
<constraints;  security  objects;  accessible  sets;  policy,  def.;  modularity; 
owner;  virtual  machines;  security  primitives;  Norse  Code  problem;  updater> 

Pric73 Price, William Robert Implications of a virtual memory mechanism for implementing protection in a family of operating systems. (Thesis) Carnegie-Mellon Univ. Computer Science Dept. 73.6 251p NTIS: AD-766 292 [* Operating system design featuring local working subsets of virtual address spaces as domains of protection; Parnas specifications of the operating system modules; formal verifications. *]

Rede74 Redell, David D. Naming and protection in extendible operating systems. (Thesis) MIT Project MAC TR-140 74.11 166p [* Features and goals of typical capability systems, especially those related to <revocation> and <type extendibility>, and a proposed implementation for a system that handles both these problems using <sealed capabilities>. *] <base level (kernel); domains and processes; communication, interprocess/interdomain; lost object problem; capabilities, protection of; identifiers, unique; caretaker domain; process control as capability privilege; ownership privilege; capabilities, indirect, chains; amplification, authorization; operators, non-monadic; capabilities, sealed; capability systems, goals; subletting; revoker capability; revocability, revocable; trust, changing levels; locker capability; extender capability; parameters, revocable; directories in capability system; comprehensibility of protection mechanisms; propagation, knowledge>

RedF74 Redell, D.D. & Fabry, R.S. Selective <revocation of capabilities>. IWPOS74 197-209 [* Goals for revocation schemes; two domain-independent schemes based on the notions of <indirection and control>; base-level implementation. *] <revocability of revocability; copy of capability, literal/revocable>

Rhod75 Rhode, R. Secure multilevel virtual computer systems. Mitre Corp. MTR-2890 ESD-TR-74-370 75.2 33p NTIS: AD/A-007 059

Rob+75 Robinson, Lawrence; Levitt, Karl N.; Neumann, Peter G. & Saxena, Ashok R. On attaining reliable software for a secure operating system. SIGPLAN Notices 10,6(75.6) (ICRS75) 267-284 [* Design methodology for and features of an operating system, with security and concurrent verification as goals. *] <type manager; protection theorems; security problems, special; security, def.; security kernel; capabilities; access vector; capability manager>

Rote74 Rotenberg, Leo J. Making computers keep secrets. (Thesis) MIT Project MAC TR-115 74.2 393p [* Mechanisms designed to solve classes of problems associated with <proprietary services>; <privacy restrictions>; and <authority hierarchies>. *] <segments; access control lists; capabilities; capability lists; domains, postulates; protection, abstract formulation; message system; caretaker program; encapsulation; argument passing; name spaces; naming hierarchy; access control packet; revocation; ownership of domains; call-out; call-in; capabilities, passing of; hidden data; argument spying; blind service; benign domain; billing; accounting channel; proprietary services, maintenance; locksmith; call packet>

Rote76 Rotenberg, Leo J. (Letter) Operating Systems Review 10,2(76.4) 5-6 [* On the <soundness> of the privacy restriction mechanism described in [Rote74]. *]

Saal77 Saal, Harry J. A hardware architecture for controlling information flow. IBM Research RC 6414 (#27675) 77.2.28 30p [* Proposes an enhanced <capability vector mechanism> that improves on traditional capability schemes, which are shown to be inconsistent with the <least privilege principle> and with <information flow requirements>. (Abstract) *]

SalS75 Saltzer, J.H. & Schroeder, M.D. The protection of information in computer systems. Proc. of the IEEE 63,9(75.9) 1278-1308 [* Tutorial survey: basic principles; <list-oriented mechanisms> vs. <ticket-oriented mechanisms>; <dynamic authorization>, <authority structures>, and <protected subsystems>. *] <access control list; capabilities; design principles; failsafe principle; separation of privilege; least privilege; psychological acceptability; descriptor; principal; segment; domain; revocation; propagation; review of access; access controller; protection group; self control; hierarchical control; prescript; discretionary controls; sensitivity levels; confinement; operator-type restrictions; encapsulation>

Salt73 Saltzer, J.H. Protection and the control of information sharing in Multics. CACM 17,7(74.7) 388-402 [* Detailed description of the protection mechanisms associated with the Multics file system and virtual memory, with design principles and insights. *] <access control list; segment descriptor; permission principle; least privilege principle; protected subsystem; principals; compartments; access modes, primitive; intent specification; trap extension; file backup; system administrator; directories; authority hierarchy; locksmith; propagation of protection specifications; gates; rings of protection; argument checking; i/o operations; channel programs; system initialization; storage residue>

Salt74 Saltzer, Jerome H. Ongoing research and development on information protection. Operating Systems Review 8,3(74.7) 8-24 [* Informal survey of work at about 30 sites. *]

Salt76 Saltzer, J.H. Technical possibilities and problems in protecting data in computer systems. In R. Dierstein, H. Fiedler, and A. Schulz, Datenschutz und Datensicherung. J.P. Bachem Verlag, Cologne, Germany 76.9 27-36 [* A brief survey of protection methods and problems. *] <policy, informality; access control lists vs. capabilities; access control, container vs. data; limited-use systems; protected subsystems; classification systems; information flow, control; confinement; sharing, arbitrary patterns; inference>

Scha75 Schaefer, Marvin Secure data management system preliminary mathematical model. System Development Corporation RADC-TR-74-352 75.2 42p NTIS: AD-A007 748 [* Description and indicated proof of a model of a <data access monitor> for a militarily secure data management system to be implemented in the Multics operating system. *] <classification; clearance; category; compartment; need to know; *-property; domination; high water mark; ownership; delete access; classification basis, record/field>

Schi75 Schiller, W.L. The design and specification of a security kernel for the PDP-11/45. Mitre Corp. MTR-2934 ESD-TR-75-69 75.6 117p NTIS: AD-A011 712 [* Design approach (levels of abstraction) and details of process management, segment management, security functions, and i/o. *]

Schr72 Schroeder, Michael D. Cooperation of mutually suspicious subsystems in a computer utility. (Thesis) MIT Project MAC TR-104 72.9 167p [* Design of a processor to provide controlled passing of parameters in <cross-domain calls> within a single computation. *] <protection, def./objectives; domain; capability; protected subsystem; segment as unit of protection; gates; access, static/dynamic; access control lists>

Schr75 Schroeder, Michael D. Engineering a security kernel for Multics. Operating Systems Review 9,5(1975) (SOSP75) 25-32 [* Notion of <security kernel>; motivation, method and activities involved in simplifying the Multics security kernel to make it easier to verify. *] <least common mechanism; rings, protection>

SchS72 Schroeder, Michael D. & Saltzer, Jerome H. A hardware architecture for implementing protection rings. CACM 15,3(72.3) 157-170 [* Description of the Multics ring structure. *] <segment as unit of protection; domains; gates; ring structure/crossing; ring brackets, read/write/execute>

SevT74 Sevcik, K.C. & Tsichritzis, D.C. Authorization and access control within overall system design. IWPOS74 211-224 [* How the kernel of the SUE operating system solves various protection problems. *] <capabilities, control of transfer; rights, quantitative; isolation/interaction; suspicion; confinement; sponsor; excessive use of resources; volume, foreign/local; revocation; indirect capabilities>

SevT75 Sevcik, K.C. & Tsichritzis, D.C. Operating system design with security as an objective. INFOR J. 13,2(75.6) 159-174

Smit74 Smith, Grant N. The state of practice of computer security. IBM74d 163-178 [* Protection mechanisms found in current systems. *] <integrity, data/system; privilege levels; subfile access control; user categories; access types; access control list; virtual memory; virtual machines; virtual i/o>

Spi+74 Spier, Michael J.; Hastings, Thomas N. & Cutler, David N. A storage mapping technique for the implementation of protective domains. Software — Practice and Experience 4(74) 215-230 [* Domain is a gated <caretaker procedure> together with the data encapsulated with it; implementation of an <activation/incarnation mechanism>. *] <domain (protected subsystem); kernel>

Spie73 Spier, Michael J. A model implementation for protective domains. Intern. J. Computer & Info. Sciences 2,3(73.9) 201-229 [* A domain architecture in which domains are represented by sets of descriptors specifying not only allowable primitive access modes but also the mapping of information structures (objects of processing) onto storage areas (objects of ownership). *]

Spie74 Spier, M.J. A system theoretic look at the complexity of access control mechanisms. IWPOS74 225-241 [* The <complexity of an access control mechanism> is measured in terms of inter-module connectivity. *] <isolation; memorylessness and complexity>

Srin72 Srinivasan, C.V. A framework for a theory of protection. Rutgers Univ. Dept. of Computer Science Technical Report #16 72.05

Stor75 Stork, D.F. Downgrading in a secure multilevel computer system; the formulary concept. Mitre Corp. MTR-2924 ESD-TR-75-62 75.59p NTIS: AD-A011 696

StoW74 Stonebraker, Michael & Wong, Eugene Access control in a relational data base management system by query modification. ACM74 180-186 [* Retrieve access is controlled by automatically ANDing access restrictions to the user's stated retrieval conditions prior to their interpretation. *] <relational data base, access control; query modification>

Tsic72 Tsichritzis, Denis System Security. IBM Thomas J. Watson Research Center RC 3989 72.8.17

Tsic73 Tsichritzis, D. Reliability. Lecture Notes in Computer Science Vol. 30: Advanced Course on Software Engineering F.L. Bauer (ed.) Springer-Verlag 1973 319-373 [* Introductions to basic concepts of protection and security. *] <protection vs. security; domain; monitor; unique names; capabilities; revocation; indirect capabilities; mutually suspicious processes; access matrix; access control list; data dependent access>

Tsic74 Tsichritzis, D. A note on protection in data base systems. IWPOS74 243-248 [* Problem of <data base protection> is too complex to be solved by current operating system protection mechanisms. *] <capabilities, inadequacies; capability procedures; protection rings, inadequacies>

Ulha75 Ul Haq, Mohammed Inam Insuring individual's privacy from statistical data base users. NCC75 941-946

Vand69 Vanderbilt, Dean Hanawalt Controlled information sharing in a computer utility. (Thesis) MIT Project MAC TR-67 69.10.24

Wal+74a Walter, K.G.; Ogden, W.F.; Rounds, W.C.; Bradshaw, F.T.; Ames, S.R. & Shumway, D.G. Primitive models for computer security. Case Western Reserve Univ. Department of Computing and Information Sciences ESD-TR-74-117 74.1.23 36p NTIS: AD-778 467 [* Model of <governmental security>, and modified version in which the <repositories> are directories and files of a tree-structured file system. *] <agents; need to know; security classes; classification; clearance; information transfer path; need to modify; discretionary/mandatory security>

Wal+74b Walter, K.G.; Ogden, W.F.; Rounds, W.C.; Bradshaw, F.T.; Ames, S.R.; Biba, K.J.; Gilligan, J.M.; Schaeffer, D.D.; Schaen, S.I. & Shumway, D.G. Modeling the security interface. Case Western Reserve Univ. Dept. of Computing and Information Sciences Report No. 1158 74.8 130p [* Approach to the design of a <security kernel> for <military security> in Multics, by a process of successive refinement of models, and corresponding proofs that security assumptions continue to hold for each successive model. *] <security system; security perimeter; repositories; agents; classification; clearance; information transfer path; discretionary/mandatory security>

Wal+75 Walter, K.G.; Schaen, S.I.; Ogden, W.F.; Rounds, W.C.; Shumway, D.G.; Schaeffer, D.D.; Biba, K.J.; Bradshaw, F.T.; Ames, S.R. & Gilligan, J.M. Structured specification of a security kernel. SIGPLAN Notices 10,6(75.6) (ICRS75) 285-293 [* Design methodology for a <governmental security> system: successive refinement of models, about which basic theorems can be proved. *] <security kernel; information security, models; information flow monitoring; security system; classification; clearance; sensitivity level; repositories; agents; transfer relation/path; executors; alter list; view list>

Walk73 Walker, R.D.H. The structure of a well-protected computer. (Thesis) Cambridge Univ. 1974

Weis69 Weissman, C. Security controls in the ADEPT-50 time-sharing system. FJCC69 119-133 [* File access is granted if and only if the (accumulated) <authority level> of both the user and his terminal is greater than that of the file, and the <category> of both user and terminal includes that of the file, and the user is a member of the <franchise> of the file. *] <authority history; high water mark>

Weis75 Weissman, Clark Secure computer operation with virtual machine partitioning. NCC75 929-934

Whit75 White, J.C.C. Design of a secure file management system. Mitre Corp. MTR-2931 ESD-TR-75-57 75.4 29p NTIS: AD-A010 590 [* Preliminary design of a file management system intended to operate under the Mitre PDP-11/45 <security kernel>. *] <access control list; *-property; access control, hierarchical directory structure; semaphores, access restrictions>

Wul+73 Wulf, W.; Cohen, E.; Corwin, W.; Jones, A.; Levin, R.; Pierson, C. & Pollack, F. Hydra: the kernel of a multiprocessor operating system. CACM 17,6(74.6) 337-345 [* Salient features are the dynamic type/object hierarchy and the protection mechanisms for procedure activations and parameter passing. *] <kernel; object; local name space; capability; call mechanism; protection vs. security; ownership; privilege hierarchy; type; kernel rights; auxiliary rights; parameter template; subsystem; walk right>

Zill73 Zilles, Stephen N. Procedural encapsulation: a linguistic protection technique. SIGPLAN Notices 8,9(73.9) (PLOS73) 142-146 [* Objects and types are characterized only by (the procedures that implement) the operators defined on them; the protection features required for such <procedural encapsulation> are satisfied by <domain architectures>. *]

absolute vs. defensive protection Lam+77
abstract data types AmbH77 LisZ74
access Jone73
access attributes BelL73a BelL73b GraD72 Lamp71
access attributes (types) Down73
access bracket Grah68
access categories Mart73
access category lBnx71
access clique BroS71
access code Denn76b Neu+77
access codes Elli74 Fabr68
access condition HarH75
access control BroS71
access control features, language AmbH77
access control limitations Mins76a
access control list GraD72 Pope73a Pope74 SalS75 Salt73 Smit74 Tsic73 Whit75
access control lists Brat75 Con+72b DalN65 Down73 KarS74 Lamp69 Rote74 Schr72
access control lists vs. capabilities Salt76
allocation/deallocation residuals HolB76
alter list Wal+75
associative programs IBnK71
capabilities, user Fabr68
capability Jans74 Jone73 Schr72 Wul+73
capability (training) Mart73
capability architecture Coss72 Engl72 Engl74
capability architectures Denn76b
capability channels Neu+77
capability faulting PopK74a
capability list Denn76b DenV66 Lamp71
capability lists Rote74
capability manager Rob+75
capability procedures Tsic74
capability registers Engl72 Fabr68
capability registers, real/virtual Engl74
certification mechanism DenD77
changes relation Ames74
classification BroS71 Scha75 Wal+74a Wal+74b
classification, derived Ande72a
classifications BelL73a BelL73b
clearance Ames74 Scha75 Wal+74a Wal+74b Wal+75
clique, user Frie70
cluster of operations LisZ74
communication by value vs. pointer Lamp74
communication, interprocess/interdomain Rede74
compartmentalization Frie70
compartmentalization (isolation) Mart73
compartments Down73 Salt73
compile time access control Con+72a
compile-time checking Con+72a Con+72b Den+74 Fer+75 JonL76b
compile-time enforcement MooC74
compile-time/run-time enforcement Denn76a
compiler trap doors KarS74
completeness JonL75
completeness requirement GraD72
complexity of an access control mechanism Spie74
comprehensibility of protection mechanisms Rede74
confidence modules Mins76a
configuration, protection system Har+75
confined computation, def. Andr74
confinement CohJ75 JonL75 Mins76a SalS75 Salt76 SevT74
confinement mechanism Den+74
confinement of errors Denn76b
confinement policy JonW75
confinement principle Neu+77
confinement problem Den+74 Lamp73 Lipn75
confinement property DenD77
conservation CohJ75
consistency, policy Down73
consistency, single variables Bis+75
constituent rights Jone73
constraints PopK74b
constraints, updation (policy) Down73
constructive design Pope74
contextual sensitivity BroS71
control access BelL73b
control attribute Down73 GraD72
control profile, user Hoff71
control protection Lamp67 Lamp69
control transfers Lamp69
control, transfers of Coss74
copy flag GraD72 Lamp71
copy flag, transfer-only GraD72
copy of capability, literal/revocable RedF74
courier policy JonW75
covert channels Bran73 Den+74 Lamp73 Lipn75
criticality Carl76
cross-domain calls Schr72
data access monitor Scha75
data analysis, prevention Mins76a
data base access control Fer+75
data base privacy mechanisms GriW76
data base protection JonW75 Tsic74
data base scheme Car+71 Con+72b
data dependent access Tsic73
data dependent conditions Con+72a
data dependent decisions Hoff71
data management systems Ande72b
data mark machine Denn76a
data security JonL75
data security, def. Mart73 PopK74a
data-dependent access decisions Pope74
database protection Mins76a
database subschema Mins76a
debugging problem GraD72
decision rule Con+72a
decision sequences BelL73a BelL73b
decision verification Denn76b
decisions, prior/future CohJ75
decisions, unilateral/negotiated CohJ75
declared rights Jone73
declassification Den+74
deduction problem Palm74
defensive programming Lind76b
definition of controlled resources IBI1k71
degree of protection Elli74
delete access Scha75
denial of service Neu+77
deny/allow descriptions Mano71
discretionary access control matrix Mill75
descriptor SalS75
descriptor (capability) Fer+74
descriptor-based architecture Ande72b
descriptors Ande72a Brat75
descriptors, privacy Denn76b
descriptors, protection Brat75
design principles SalS75
detectability Brat75
detection principle Neu+77
diagonal system Con+72a
direct access predicate PopK74a
directories Lind76b Salt73
directories in capability system Rede74
directories, protection Brat75
directory initiation Brat75
directory of authorized users Con+72b
discretionary controls SalS75
discretionary/mandatory security Wal+74a Wal+74b
discretionary/nondiscretionary controls Lind76b
disengagement Den+74
distinguished entry Neu+77
domain Lamp71 Lamp74 Pope74 SalS75 Schr72 Tsic73
domain (protected subsystem) Spi+74
domain architectures Zill73
domain changing Denn76b
domain of authorization HarH75
domain switching Lind76b
domains CohJ75 Fer+74 GraD72 Lamp69 LamS76 Lind76b Neu+77 SchS72
domains and processes Rede74
domains, postulates Rote74
dominance, access history HarH75
domination Scha75
dynamic authorization SalS75
dynamic linker Jans74
dynamic rights Jone73
dynamic type creation Jone73
elimination rules Mill75
encapsulated type Fer+74
encapsulation LisZ74 Rote74 SalS75
encapsulation, process Denn76b
enforcement process HarH75
enforcement rule Jone73 Pope74
engagement Den+74
enter access Engl72 Fabr68
enter access/instruction Fabr74
enter capability Denn76b Engl74 Need73 NeeW74
enter right Lind76b
entry, protected EvaL67
environment Andr74
environment binding Pope74
environment binding rule Jone73
environment crossing operations JonW75
environment crossing operators Jone73
environment of domain Fer+74
environment representations Jone73
environment, open/closed Denn76b
environments Jone73
error conditions Den+74
error decision BelL73b
error patterns Palm74
error types Lack74
errors, examples Bis+75 Carl76 HolB76 Pope74
errors, integrity, taxonomy/categories/examples Abb+76
errors, types/examples McPh74
excessive use of resources SevT74
execute-only access DalD74
executors Ames74 Wal+75
existence, knowledge of PopK74a
extended resources HarH75
extended-type manager Lind76b
extended-type objects Lind76b
extender capability Rede74
failsafe principle SalS75
field level control Car+71 Con+72b Mano71
field, protected Frie70
file access control Gain72 Hsia68
file access control scheme Bar+67
file access via given program Need73
file authorization Ande72b
file backup Salt73
file control code Bing65
file directories DalN65
file groups DalD74
file keys Palm74
file management kernel PopK74a
filtering policy JonW75
filtering property Pope73a
flow condition Moor74
flow relation/policies DenD77
formal specification Burk74
formularies Pope74
formulary Hoff71
franchise Weis69
franchise, user/operation/resource unit HarH75
freezing CohJ75
functional access Fer+75
gate Jans74
gatekeeper Grah68 JonW75 KarS74
gates Lamp69 Salt73 Schr72 SchS72
generic weaknesses Bran73
global object name systems Laue74
goals, protection mechanisms Lind74
governmental security Wal+74a Wal+75
grain of protection Pope74
grant Cha^7&
grant command GraD72
grants, labeled GriW76
group (protection category) Frie70
grouping of users and resources IBrix71
hidden channels Neum73 Pope74
hidden data Rote74
HIDDEN specification Palm73
hiding, information Lipn75
hierarchical access control Ande72b DalN65
hierarchical control SalS75
hierarchical process structure NeeW74
hierarchically structured operating system DonM75
hierarchically structured systems ChaS76
hierarchies, subject, advantages GraD72
high water mark BroS71 JonL75 Lipn75 Scha75
higher level errors Pope74
i/o channels Ande72a
i/o operations Salt73
identification Brow71 Lamp71
identification, objects McPh74
identification, subjects GraD72
identifiers, unique Rede74
implied sharing Ande72a
implied sharing vulnerability Ande72b
incomplete parameter checking Ande72b
indirect access GraD72 MooC74
indirect access predicate PopK74a
indirect capabilities SevT74 Tsic73
indirect information paths Mill75
indirection Lind76b
indirection and control RedF74
indirection table NeeW74
indirection tables Need72
inference Ande72b Neu+77 Pope74 Salt76
inference problem Pope73b
influencability/influentiality Carl76
information control vs. access control JonL75
information flow DenD77
information flow graph MooC74 Moor74
information flow monitoring Wal+75
information flow requirements Saal77
information flow, control Salt76
information flow, explicit/implicit Denn76a
information security, models Wal+75
information structures, control/computing Andr74
information transfer path Wal+74a Wal+74b
inherit (access type) Fer+75
initialization CohJ75
input validation Brow71
input/output PopK74a
integrity constraint Hel+75
integrity, data Brow71
integrity, data base Hel+75
integrity, data/system Smit74
integrity, def. ChaS76 DonM75
integrity, system Frie70 Mart73
intent specification Salt73
intention, explicit Atta73
intentional resolution Mins76a
inter-module protection Palm73
interactivity principle BelL73b
intermediaries Lind76b
intermediate results, hiding Mins76a
interruptibility PopK74a
isolation BelW74 Brow71 Fabr73 Lamp74 Spie74
isolation level Elli74
isolation mechanisms Ande72a
isolation, authorization mechanism Frie70
isolation, def. ChaS76
isolation/interaction SevT74
item code Car+71
item key Car+71
kernel Fer+74 Pope73b Spi+74 Wul+73
kernel rights Wul+73
kernels, levels PopK74a
key GraD72
key variables Pope73a
lattice model DenD77
layers of protection, advantages Grah68
leakage, information Neu+77
leaking, rights Har+75
least common mechanism Schr75
least privilege SalS75
least privilege principle Saal77 Salt73
legitimate channels Lipn75
levels of classification, undesirability Frie70
levels of mechanism PopK74a
levels of protection GraD72
levels of representation Burk74
limited-use systems Salt76
link fault handling Jans74
list-oriented mechanisms SalS75
load/store, capabilities Engl74
local name space JonW75 Wul+73
lock functions Pope73a
lock list GraD72
lock-and-key mechanism Con+72b
lock-and-key scheme Gain72
locked boxes Pope74
locker capability Rede74
locks and keys Down73 Pope73a Pope74
locks, data record Mart73
locksmith Rote74 Salt73
lockwords Mart73
login program, file Hsia68
looks-at relation Ames74
lost object problem Neu+77 Rede74
lost objects CohJ75
lying to prevent detectability Brat75
manager problem Andr74
mandatory/discretionary controls Ames74
manipulators Ames74
masking, channels Lamp73
master mode KarS74
matrix, user-privilege Frie70
maximally complete mechanism JonL75
mechanism, def. Andr74 JonL75
mechanisms, def. Need73
mechanism requirements ChaS76
mechanisms, functions JonW75
mediated access Neu+77
memory environment Lamp74
memory protection Lamp67 Lamp74
memoryless operation Neu+77
memoryless procedure Jone73
memoryless process Pope74
memoryless specifications HarH75
memoryless subsystems GraD72 JonL75
memorylessness Lamp73
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memory  I essness  and  complexity  Spie74 

message  confinement  Andr74 

message  model  Lamp7A 

message  system  f-abr73  Lamp71  Rote74 

military  security  Ual+74b 

military  security  classification  Neu+77 

military  security  model  Doun73 

modification  CohJ75 

modify  relation  Ames74 

modularity  Lind7Gb  PopK74b 

modules  AmbH77 

monitor  Tsic73 

monitor,  object  type  GraD72 

monitoring  policy  JonU75 

monitors  Andr74 

Horse  Code  problem  PopK74a  PopK74b 

move-ui thout-reading  Neum73 

multi-level  security  KarS74 

multiple  domain  processes  0enn7Gb 

mutual  exclusion,  customer  processes  Den+74 

mutual  suspicion  Andr74  CohJ75  Fer+74  Lind7Gb 

mutually  suspicious  processes  Tsic73 

mutually  suspicious  subjects  Neu+77 

mutually  suspicious  subsystems  Gra072  Pope74 

name  space  mode  I Jans74 

name  spaces  Rote74 

name,  I oca  I /system  Denn7Gb 

names,  concealment  Frie70 

names,  scope/sharing/protection  GeoS73 

naming  hierarchy  Rote74 

need  to  know  Down73  1611x71  Lipn72  Mart73  Neu+77  Scha7S  Ual+74a 

need  to  modify  Ual+74a 

necd-to-knou  categories  BelL73a 

necd-to-knoM  principle  GrahGS  Jone73  ParP74 

nested  address  space  systems  Laue74 

non  leakage  Den+74 

nonretention  Den+74 

numerical  measure  of  security  Lam+77 

o operators  JonL75 

o- functions  Lipn75  Mi  I 175 

object  Jans74  Jone73  Uul+73 

object  system  Lamp71 

objecthood  PopK74a 

objects  BroS71  Doun73  Fer+74  GraD72  JonU75  Lind76b  Neu+77 

observability  postulate  JonL75 

observe  relation  Ames74 

operator-type  restrictions  Sal575 

operators,  non-monadic  Rede74 

operators,  strong/ueak  Fer+74 

own  right  Har+75 

owner  Hs i aG8  PopK74b 

owner  attribute  Down73  GraD72 
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ounership  CohJ75  Jone73  Lamp71  Scha75  I4ul-f73 

ownership  of  domains  Rote74 

ownership  privilege  Rede74 

ownership,  absolute/conditional  HarH75 

parameter  checking  Pope74 

parameter  checking,  incomplete  Bran73 

parameter  passing  AmbH77  Bis+75  Jone73 

parameter  spaces  EvaLG7 

parameter  template  Uul+73 

parameters,  revocable  Rede74 

part  owner  Bar+B7 

partial  rejection  HarH75 

passive  object  Pope74 

passwords,  file  Frie70  LampGS  Mart73 

path  condition  l1oor74 

penetration  Pope74 

penetration  techniques  KarS74  Lack74 

permission  principle  Salt73 

policy,  def.  JonL75  PopK74b 

policy  vs.  mechanism  Jone73 

policy,  informality  Salt7G 

prescript  SalS7& 

primitives,  protection  state/environment  Andr74 
principal  SalS75 
principals  Salt73 
principle  of  control  Andr74 

principle  of  least  privilege  Jans74  Lind76b  Pope74 
principle  of  maxi  mum  secur i ty  Neum73 
privacy  Brow71 
privacy  (security)  Mins7Ga 
privacy  restrictions  BelL73b  Rote74 
privacy,  def.  ChaS7G 
privilege  hierarchy  Uul473 
privilege  levels  Smit74 
privilege  list  BroS71 
pr i V i I eye  number  Denn7Gb 
privilege  state  mechanism  Denn7Gb 
privilege  structure,  complexity  Frie70 
privileged  code,  exclusion  from  user  process  PopK74a 
privileged  instructions,  deficiency  GrahGS 
privileged  mode,  nonnecessity  Eng  1 72  Eng  1 74 
privileges,  program/user  Frie70 
procedural  controls  Ande72b 
procedural  embedding  CohJ75 
procedural  encapsulation  Zill73 
procedural  vulnerabilities  KarS74 
process  control  as  capability  privilege  Rede74 
process  isolation  Denn7Gb 
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